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Description 

FIELD OF THE INVENTION 

5 [0001] The present invention relates to a method for providing secure access to shared information in a network 
computing environment. More particularly, the present invention relates to a method for providing efficient and secure 
access in a network to information consisting of electronically stored documents. 

BACKGROUND OF THE INVENTION 

10 

[0002] There is at present a need for methods and apparatus for providing secure access to shared information in 
a computer network environment. More specifically, there is a need for a large-scale system (i.e. one having a large 
number of users) in which a dynamically- varying subset of users is permitted access to a relatively large amount or 
grouping of associated information for a limited time duration, the time duration being user-dependent. For example, 

15 for an electronic newspaper -- i.e. an electronically-stored copy or version of a conventional printed newspaper or the 
like - a set of users (the subscribers) is permitted access to the electronic newspaper for a predetermined length of 
time in return for a user-paid subscription fee. As used herein, the term electronic newspaper is intended to broadly 
denote any grouping or set of associated, electronically-stored information to which access is to be provided to a 
relatively large and dynamically changing plurality of users. 

20 [0003] Typically, there are no significant restrictions on either the storage system or the transmission medium for 
such shared information. Thus, it would be desirable to provide a universal mechanism to prevent unauthorized access 
to the shared information. 

[0004] WO-A-91 1 2693 discloses a method as set out in the preamble of claim 1 . This method is for controlling access 
to broadcast signals. 

25 

Summary of the Invention 

[0005] According to the invention there is provided a method as set out in claim 1 . 

[0006] An advantageous method in accordance with the present invention for securely sharing information in net- 
30 works is provided through an association between the communicating parties formed using at least two cryptographic 
keys. A server contains the information to be accessed, encrypted by a first key, and the user requesting the information 
holds a second key. A "locker", associated with or accessible by -- optionally only by - the user, holds the first key in 
a form that has been encrypted (i.e. "locked") with the second key of the user, so that only that user can decrypt the 
first key and thereby enable decryption of the information to be accessed. Typically, the locker is a buffer or memory 
35 storage location at the server although it may advantageously be located anywhere on the network, as for example at 
the user's workstation. The information securement method of the present invention may thus be termed the Locker 
Key method and the first key may be denoted the Locker Key since it is stored in encrypted form in the user's locker. 
When an authorized user requests access to the stored information, the encrypted first key is placed in the user's 
locker. The user accesses his locker, employs his second key to decrypt the first key and then uses the decrypted first 
40 key to decrypt the information. The inventive method accordingly uses two symmetric cryptographic systems: (1 ) the 
first key that both encrypts and decrypts the information to be accessed, and (2) the second key that both encrypts 
and decrypts the first key. 

[0007] The inventive method provides a number of significant advantages. The information to be accessed is en- 
crypted only once and only a single copy is stored by or at the server for access by a dynamically-varying plurality of 
45 users. Moreover, the encryption of the information is performed off-line rather than at the time that any particular user 
requests access to that information. In addition, there is no need to redistribute the first key when it changes. The 
method of the invention is particularly advantageous and suitable for use in providing secure access electronic news- 
papers and multimedia documents and the like. 

[0008] The present invention may also provide users with an interface routine that integrally incorporates and restricts 
50 user access to the first key. The routine is run or executed on the user's local terminal or computer or machine which 
automatically communicates with the server, retrieves the encoded first key from the user's locker, decrypts the first 
key, uses the decrypted first key to decrypt the information from the server, and then displays the information to the 
user. When the user's permission to access the information expires, no new key is placed in the user's locker and the 
interface routine will be unable to successfully decrypt the information. 
55 [0009] The various features of novelty which characterize the invention are pointed out with particularity in the claims 
annexed to and forming a part of this disclosure. For a better understanding of the invention, its operating advantages 
and specific objects attained by its use, reference should be made to the accompanying drawings and descriptive 
matter in which there are illustrated and described several currently preferred embodiments of the invention. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

[0010] In the drawings, wherein similar reference characters denote similar elements throughout the several views: 

5 Fig. 1 is a pictorial block diagram of an embodiment of the present invention; 

Fig. 2 is a pictorial diagram of a first embodiment of the present invention for controlled access to an electronic 
newspaper; 

Fig. 3 is a pictorial diagram of a second embodiment of the present invention employing an interface routine op- 
erable for providing controlled access to the electronic newspaper; 
10 Fig. 4 is a pictorial drawing of a third embodiment of the present invention; 

Fig. 5 is a pictorial drawing of a fourth embodiment of the present invention; 

Fig. 6 is a computer source code listing of a first embodiment of a portion of an interface routine in accordance 
with the present invention; and 

Fig. 7 is computer source code listing of a second embodiment of a portion of an interface routine in accordance 
15 with the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

[001 1 ] The present invention provides a novel solution to the problem of providing secure access to shared informa- 
20 tion in a network computing environment. In general, security in communications systems involves the attributes of 
source/destination authentication, information privacy, information integrity, prevention of unintended service denial, 
and copyright enforcement. The present invention addresses primarily two of those attributes, namely authentication 
and copyright enforcement. 

[0012] The invention operatively provides secure access to shared information, such as an electronic newspaper, 
25 by a method useful in an architecture in which a network, including a group of users, may wish or seek to acquire 
access to a shared piece or set of information located in the same place (e.g. at the server). This is accomplished 
through the use of two secret encryption keys -- a first secret key K news and a second secret key K h The first secret 
key K news is also referred to herein as the "locker key" K news , which refers to the fact that during at least one step of 
the inventive method the key K news is stored in a "locker" or buffer or storage location associated with a particular user 
30 that is legitimately permitted to access the stored information (i.e. the electronic newspaper). The second secret key 
K t is the private key of the user /. Throughout this specification, the designation user /should be understood as denoting 
either a particular human operator or an application program executing at a subscriber work station or network node 
or connection. The notation E k (X), as used herein, identifies information X, such for example as an electronic newspaper 
32 (Fig. 1), that has been encrypted using the encryption key k. 
35 [0013] The inventive method is pictorially depicted in Fig. 1 to which reference should be made in considering the 
following description. 

[0014] The inventive method protects the stored information, e.g. the electronic newspaper 32, from users outside 
of the authorized group by encrypting it with the first key K news (i.e. the server's private key, generated by and known 
only to the server) . Then the key K news is made available only to users within the authorized group. Each user / is 
assigned or provided with access to a "locker". It is generally contemplated that the locker is a storage location or buffer 
1 0 at a server 30, but it may alternatively be located anywhere in the network 40. The locker key K news is placed in the 
user's buffer 10 in a form encrypted with that user's private key K h i.e. E Ki (K news ). A single copy of the electronic 
newspaper 32 is stored at or by the server 30, encrypted with the key K newsr A user /that wishes to access or view (i. 
e. purchase) that stored copy of the electronic newspaper 32 transmits his private key K t , which is known to and/or 

45 generated by the user /, to the server 30. In return, the key E Ki (K new ^ t i.e. encrypted by the key K f) is placed in 
the buffer 10 of the user /. When user / thereafter wishes to view or access the encrypted newspaper, or a portion 
thereof, user / retrieves the encrypted form of the key K news from the buffer 1 0, uses his private key K f \o decrypt the 
key K^^jj, and then uses the decrypted key K news to decrypt the encrypted newspaper or desired portion thereof. 
[0015] The first key K news and the second key K f may, for example, be defined as a series of characters, such as 

50 numbers or letters or combinations thereof. Network-generated numbers may be in binary form or may, after being 
generated, be converted to binary form. 

[0016] The exchange of information for accessing an electronic newspaper in accordance with one form of the in- 
ventive method is more particularly illustrated in Fig. 2. In the initial set-up phase, the user /tansmits his ID as an 
identification parameter -- e.g. a network identification name or number -- his credit card number (for billing purposes), 
55 and his/her private key K y to the server 30. This information is preferably en cry pted with a public key K serv of the server 
30 to prevent unintended third party access. The server 30 may, optionally, then confirm the request or subscription. 
[0017] The server's public key is assumed to be freely available to subscribers from a key registry, which is the 
equivalent of a "yellow pages" for public key cryptography. The public key K serv allows secure transmission of start-up 
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or query data to various servers, such as for storing and providing access to newspapers, weather, stock quotes, etc. 
Asymmetric cryptology by public key encryption is used only for public key K serv at this initial set-up stage for secure 
transmission of the secret information of user / to the server (e.g., the key K f ) and to mask the identity of the user. In 
contrast, the inventive method employs symmetric cryptography for subsequent encryption/decryption of data with 

5 keys Kj and K news . Thus, after the set-up stage user /' may request access to the newspaper data by sending to the 
server 30 his ID (/) with a description (data-descriptor) of the requested data. These fields may optionally be encrypted 
with the private key K,to provide user privacy, i.e. where user / does not want others to know what data he is accessing. 
The server 30 responds by sending the key K news , encrypted with the user's private key K t Then, typically, the requested 
newspaper data, encrypted with K news , is sent to user /. 

w [0018] The entire newspaper represents a rather large amount of data, and it is anticipated that user requests will 
generally be article-based - i.e. a user may first request an index of articles, with each future access seeking only one 
or more individual articles. Thus, each article in the newspaper may be individually encrypted, allowing more rapid 
access to each individual article. However, the invention is also intended to accommodate variations in which the entire 
newspaper is encrypted as a single document. 

15 [0019] The present invention provides a number of important advantages. For one, only a single encrypted copy of 
the electronic newspaper is stored on or by the server. Moreover, encryption of the newspaper is performed only once 
for a given key K news . In addition, the encryption can be done "off-line", i.e. not in "real time", thus avoiding server 
congestion at times of peak demand. 

[0020] The inventive method, as hereinabove described, provides a reasonably high measure of security. However, 
20 it is potentially susceptible to fraud by subscribers that may improperly distribute the keys K) and K news , or the decrypted 
newspaper itself, to non-subscribers or others who do not pay or otherwise properly request and obtain access to the 
information. Protection against distribution of the decrypted locker key K news is provided by frequent changing of the 
locker key. Thus, the server 30 may periodically re-encrypt the newspaper using a new locker key K' news and place 
this new key, encrypted by each respective user's private key K jt in all eligible lockers. When a user's access permission 
25 expires, that user's locker is not reloaded with the encrypted new locker key. Advantageously, in accordance with the 
invention, when the locker key changes, the server need not multicast or widely distribute the new locker key; only the 
lockers of then eligible or authorized users need to be modified. Authorized users may thus access their lockers with 
their respective private keys K/to retrieve and decrypt the encrypted new locker key, 

[0021] A second embodiment of the inventive method seeks to avoid such fraudulent behavior by restricting users' 
30 direct access to the server 30, and to the decrypted key K news , through the use of an interface routine. The interface 
routine is a relatively short software program that is sent as object code to the user /, as shown in Fig. 3, in response 
to user payment of the information access fee. The user is work station uses the interface routine to access the server 
30 in such a way that the value of the key K news is hidden from user /. This prevents user /from improperly distributing 
the key K new$ or from manually decrypting and distributing the newspaper. The interface routine acts as an extension 
35 of the server 30 that is remotely executed on the user /s hardware. Thus, all communication between the user /' and 
server 30 is performed through and by the interface routine. At each intended access of the stored information, the 
user / invokes the routine, which automatically, and without user intervention, retrieves the encrypted key E Kj (K news ) 
together with the encrypted newspaper portion of interest E^^fnews) from the server 30. The interface routine then 
uses the user is private key /C/to decrypt the locker key K news , and uses the decrypted locker key K news Xo decrypt the 
40 newspaper or data portion. The decrypted text is then sent to the user is application program or displayed on his/her 
screen, as for example in a window of a graphical user interface. 

[0022] Of course, the user / may still fraudulently redirect the displayed output to a file and distribute the file itself to 
others. However, the relatively large size of the newspaper makes it difficult and time consuming for users to download 
the entire newspaper. Thus, a user's ability to fraudulently distribute such data is limited. 

45 [0023] Since each user / knows his/her locker key K h user / could still intercept the communication between the 
routine and the network to retrieve E Kj (K news ), obtain and publicly distribute the public key K news (i.e. manually bypass 
the interface routine). According to the invention this problem is avoided by creating the user key K^from two compo- 
nents: one component Kf supplied by the user, and one component Kf supplied by the server. The key Kj is then 
computed by the server and by the interface routine, for example as K f = Kf® Kf where © denotes a bitwise exclusive- 

50 or (XOR) operation; this is depicted in Fig. 4. Thus, only the combination of the server 30 and the interface routine 
know Kf, the server-supplied Kf is hidden in the routine, and the composite key K f is not therefore known to the user 
/. Accordingly, even if a user / intercepts the communication between the server 30 and the routine, he cannot retrieve 
the key K news because he does not know K t Moreover, no user other than the intended user / can provide Kf to the 
routine to compute the composite key K,that is required to access the encrypted newspaper data, 

55 [0024] It will be recognized that a dishonest user /may yet transmit a copy of the interface routine to an unauthorized 
user /, who ccould then use the routine to access the newspaper so long as user / additionally supplies user /with his 
(secret) key component Kf. This permits user /to invoke the interface routine and to supply user /s key component 
KfXo the routine to attain access to and view the electronic newspaper. A variety of deterrents to such practice may 
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optionally be employed. 

[0025] A first deterrent is to have the interface routine, when invoked using the correct user key component Kf, 
configured to allow access to the user ts credit card number, as for example by flashing or displaying the credit card 
number of user / on the screen. Such an improvement may make user /'somewhat more reluctant to provide others 

5 with the interface program and his key component Kf. 

[0026] A second deterrent is to have the user transmit during the set-up stage -- as for example with the initial 
message from the user - (1) his credit card number and (2) a list of Internet Packet (IP) addresses of a limited number 
of machines or stations or locations from which user / anticipates seeking access to the electronic newspaper. The 
interface routine may then be configured so that each time it is invoked, it transmits to the server the IP address of the 

10 node or terminal from which it has been invoked and the routine's ID, which is itself associated with the particular user 
/. The server 30 can then confirm whether the routine was invoked from one of the previously-specified IP addresses 
and, if not, the server may (1) separately and additionally charge the user / for each such access from a machine or 
location not in the original list, (2) deny access to the machine or location not in the original list, or (3) direct all responses 
to the location of one of the previously specified IP addresses. Of course, the user / may selectively request a change 

15 of his registered IP address by sending such request to the server in suitably encrypted form, thus preventing user j 
from altering user is registration information without user is knowledge. 

[0027] A third deterrent is to have the server 30 allow only one copy of each user's interface routine to be active at 
any given time. This variation is shown in Fig. 5 and requires that the routine send its IP address to the server 30 when 
it is invoked. If the server 30 finds that the same routine is already active, it will prevent the newly-invoked routine from 
20 proceeding to retrieve either the locker key or the encrypted version of the electronic newspaper. Thus, if a user / 
distributes copies of his interface routine to one or more unauthorized users /, only one of them will be able to use the 
routine at any given time, all others being denied concurrent service. 

[0028] The herein-disclosed methods of the present invention that utilize an interface routine are, as will be appre- 
ciated, most effective if the interface routine is constructed so as to be highly tamper-resistant. For example, the routine 

25 should integrally hide the values of the required keys and key components. Preferably, the code is made sufficiently 
difficult so that "manual" processing is required to reverse engineer (i.e. disassemble) the code. Additionally, the routine 
may be written such that a forged or unauthorized version of such a routine would be readily detectable by server 30. 
[0029] Preferably, to prevent unauthorized access the routine will be frequently changed, i.e. customized and redis- 
tributed, for example, with every new electronic newspaper edition. The routine is customized to have a structure that 

30 prevents improper automatic retrieval of data from the routine code and that renders manual retrieval of data much 
more expensive in time and resources than the price of access to the data itself. Customization of the routine may, by 
way of example, involve changing the location of the keys within the routine's code or within run-time memory, changing 
the data flow of the routine's execution, or adding extra commands. In addition, the routine may interleave data and 
executable code to prevent automatic disassembling of the code. Preferably, the hidden keys may be translated into 

35 meaningful machine language instructions and the key location randomly moved within the machine code of the routine. 
Furthermore, references in the program to the location of a key can be indirect so as to require an intruder to closely 
follow the code execution flow to determine the key location. 

[0030] Figs. 6 and 7 show, by way of nonlimiting example, portions of two differently-customized routines that perform 
the same task. Two keys are hidden in different program locations that are only indirectly accessed. In these routines, 

40 the indirect access is based on the content of another memory location (FIRST and SECOND), but can also be imple- 
mented using the contents of a register. This arrangement makes it difficult to design a program operable for determining 
the location of the key. The key in both routines is, moreover, translated into a sequence of legitimate machine instruc- 
tions. These routines can accordingly hide the same key in different locations or two different keys in different locations. 
[0031] An example illustrating the operating efficiencies attainable in accordance with the present invention now be 

45 described. 

[0032] The following calculations compare the access times experienced by users accessing an electronic newspa- 
per, first in a system based on batch encryption in accordance with the inventive method, and then in a second 
system S 2 in which the encryption is performed in real time in response to user requests as in the prior art. The calcu- 
lations assume a single encryption server and that the arrivals of requests at the electronic newspaper server are 
so Poisson-distributed with parameter X. The access time in each of the systems S 1t S 2 consists of a number of compo- 
nents. 

[0033] System S 1 performs the steps of: retrieving the encrypted locker key, hereinafter 

-r(LC); retrieving the pre-computed ciphertext of the requested article, hereinafter -r(CT); and transmitting the two items 
back to the user, hereinafter -t(LC+ CT). 
55 [0034] System S 2 performs the steps of: retrieving the requested data, hereinafter -r(A); encrypting the articles, 
hereinafter -e(A)\ and transmitting the ciphertext, hereinafter t(CT). 

[0035] Assuming zero load, the access times x 1 for the system S 1 and x 2 for the system S 2 are: 
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x 1 = r(LC) + r(CT) + t(LC + CT) x 2 = r(A) + e(A) + 

t(CT) (Eq. 1) 

In general, the server-generated key LC is of fixed length, whereas the lengths of the cipher text CTand of the cleartext 
article A are random variables (r.v.). Thus, and x^are also r.v. with some distribution. Each retrieval process r(*) and 
transmittal process t(») can be modeled as a queue. Consequently, each of the systems Sf and S 2 employs a series 
of three queues in tandem. This example assumes the following relationships: 

1 . One queue is considerably more congested than others, creating a bottleneck. 

2. The time to perform the retrieval, transmission, and encryption operations is linear with the amount of data. 

is 3. The time to retrieve the encrypted locker key is considerably shorterthan the time to retrieve the article ciphertext; 

i.e., LC « CTand r(LC) « r(CT) 

4. The size of the ciphertext is proportional to and longer than the cleartext size. 

20 5. The time to encrypt a piece of data is considerably longer than the time to retrieve and/or to transmit the same 

piece of data. 

[0036] The calculations further assume that the bandwidth of the retrieval operation is considerably larger than the 
network transmission bandwidth. This last assumption, while reasonable in conventional networks, may not be valid 
25 in some systems -- as for example in gigabit networks. 

[0037] Based on the foregoing assumptions, the calculations approximate the systems S t and S 2 as single MIGI\ 
queue systems with access times given, respectively, by: 



30 



35 



45 



50 



55 



x 1 « t(LC + CT) * t(CT) and x 2 * e(A) (Eq. 2) 

[0038] The term , as used herein, defines a specific type of queue system; such a queue system is, for example, 
described in L. Kleinrock, Queuing Systems: Vol. 1: Theory (John Wiley & Sons 1975). 
[0039] By assuming the above-mentioned relationships (2), (4) and (5), we may assert that 

x~ 2 = k • ~x 2 (k > 1). 



[0040] Using the Poilaczek-Khinchin formula (L. Kleinrock, "Queueing Systems: Vol, 1 : Theory", p. 191 (John Wiley 
4 o & Sons 1 975)), the waiting times in the queues S 1 and respectively, are: 

W s =$. 1 , „ " 1 and W s = | ■ 2 H " 2 (Eq.3) 

S 1 2 (1- Pl ) s 2 2 (1-p 2 ) 



where p 1 is the utilization of queue /, and C X1 is the coefficient of variation of the process x f (i='\ t 2). The coefficient 
of variation of a random process x is defined as 

Thus, 
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2 = 1 (Eq. 4) 

W s, (1 + cj) (1 - p 2 ) 

[0041] Due to assumption (4) above, the distribution of the ciphertext length has different parameters but the same 
shape as the distribution of the cleartext length. Furthermore, by virtue of assumption (2), the times to transmit the 
ciphertext and to encrypt the cleartext are proportional to the size of the cipher and cleartext, respectively. Consequently, 
the distributions of r.v.t(CT) and e(A) have the same shape and C X1 = C^. Therefore, 

"SjJU^l (Eq . 5) 
W Sl d - P 2 ) K * } 

15 Thus, the mean waiting time for the batch system of the present invention is reduced by a factor on the order of k 2 as 
compared to the mean waiting time for the prior art real-time system. 

[0042] The mean system time (T s ) is defined as the sum of mean waiting time (W x ) and the mean service time (x), i.e. 
20 T sr W s ^~x, and ^=1^ + ^=1^ + *^ (Eqs. 6) 

Therefore, 

Ts 2 W S2 + k7^W S2 _ ^, pi) 



[0043] The access times of the systems S 1 and S 2 are compared by assuming, in Equation 7, that the average article 
30 or electronic document is on the order of 5000 bytes, that the (software-based) encryption speed is on the order of 

100Kbps, that the size of the ciphertext approximately equals the corresponding cleartext, that the transmission links 

are T1 lines (»1 .5 Mbps), and that the memory access throughput is 10 Mbps (i.e. r(CT) « t(CT)). This comparison 

indicates that the first system S 1t which employs the inventive method, has an access time of about 1 /435th, or about 

0.02%, of the access time of the second or prior art system 
35 [0044] Thus, there is realized a substantial improvement in access time by encrypting the electronic newspaper once, 

off-line, for all users as compared to individually encrypting the newspaper for each user in real-time upon arrival of 

that user's request. 

[0045] Thus, while there have been shown and described and pointed out fundamental novel features of the invention 
as applied to preferred embodiments thereof, it will be understood that various omissions and substitutions and changes 
40 in the form and details of the disclosed invention may be made by those skilled in the art without departing from the 
invention. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto. 



Claims 

45 

1. A method of controlling access to electronically-defined information among a plurality of users connected to a 
network having a server operable for assuring that the electronically-defined information is accessible by only at 
least a predetermined one of the plural users, each of said plural users having a unique first encryption key, said 
method comprising the steps of: 

50 

encrypting the electronically-defined information using a second encryption key known only to the server to 
define encrypted information; 

storing the encrypted information in network-associated electronic storage accessible through the network to 
said plurality of users; 

55 encrypting the second encryption key using the first encryption key of the predetermined user to which access 

to the electronically-defined information is to be provided so as to define an encrypted second key; 
storing the encrypted second key in an electronic storage location accessible by said predetermine user; and 
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attaining access by the predetermined user to the unencrypted electronically-defined information by: 

accessing the stored encrypted second key from a network-connected apparatus of the predetermined 
user; 

decrypting the accessed encrypted second key using the first key of the predetermined user at the appa- 
ratus of the predetermined user to recover the second encryption key; 

accessing the stored encrypted information from the network-connected apparatus of the predetermined 
user; and 

decrypting the accessed encrypted information using the recovered second encryption key to recover the 
electrically-defined information for examination of the recovered information by the predetermined user; 

CHARACTERISED IN THAT: 

each said first encryption key has a first portion (Ki u ) and a second portion (Ki s ); 
said first portion is known to both the server and the respective user; and 
said second portion is known only to the server. 

A method in accordance with claim 1 , further comprising the step of generating the second encryption key at the 
server. 

A method in accordance with claim 1 , further comprising the steps of: 

periodically generating a new second encryption key to replace a then-current second encryption key; and 
each time that a new second encryption key is generated, 

encrypting the new second encryption key using the first encryption key of the predetermined user so as to 
define a new encrypted second key; and 

storing the new encrypted second key in the electronic storage location accessible by the predetermined user 
to replace the encrypted second key previously stored in the electronic storage location for access by the 
predetermined user. 

A method in accordance with claim 3 and further comprising, each time that a new second encryption key is 
generated, the steps of: 

encrypting the electronically-defined information using the new second encryption key to define newly-en- 
crypted information; and 

storing the newly-encrypted information in the network-associated electronic storage accessible through the 
network to said plurality of users to replace the previously-stored encrypted information. 

A method in accordance with claim 1 , wherein said step of storing the encrypted second key comprises storing 
the encrypted second key in an electronic storage location accessible only by the predetermined user. 

A method in accordance with claim 1 , wherein said step of storing the encrypted information comprises storing the 
encrypted information in electronic storage associated with the server. 

A method in accordance with claim 1 , wherein said steps of accessing the stored encrypted second key, decrypting 
the accessed encrypted second key to recover the second encryption key, and decrypting the accessed encrypted 
information using the recovered second encryption key being carried out by operation of an executable program 
routine so as to restrict direct access by the predetermined user to the recovered second encryption key and 
thereby prevent unintended access to the recovered second encryption key by ones of said plural users other than 
the predetermined user. 

A method in accordance with claim 1 , wherein said steps of accessing the stored encrypted second key, decrypting 
the accessed encrypted second key to recover the second encryption key, and decrypting the accessed encrypted 
information using the recovered second encryption key being carried out by operation of an executable program 
routine at the apparatus of the predetermined user so as to restrict direct access by the predetermined user to the 
recovered second encryption key and thereby prevent unintended access to the recovered second encryption key 
by ones of said plural users other than the predetermined user. 
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9. A method in accordance with claim 1 , where in said step of storing the encrypted second key comprises storing 
the encrypted second key in an electronic storage location associated with the apparatus of the predetermined user 

10. A method in accordance with claim 1 , wherein said step of encrypting the electronically-defined information com- 
5 prises dividing the information into a multiplicity of information portions and separately encrypting each of the 

multiplicity of information portions to define encrypted information comprising a multiplicity of separately-encrypted 
portions each individually accessible by predetermined ones of said plural users. 



10 Patentansprtiche 

1 . Verfahren zum Regeln des Zugangs zu elektronisch definierten Informationen unter mehreren Benutzern, die mit 
einem Netzwerk verbunden sind, das einen Server aufweist, der betreibbar ist, urn sicherzustellen, dafB die elek- 
tronisch definierten Informationen nur mindestens einem vorbestimmten der mehreren Benutzer zuganglich sind, 

15 wobei jederdermehreren Benutzer einen eindeutigen ersten Verschlusselungsschlussel besitzt, mit den folgenden 

Schritten: 

Verschlusseln der elektronisch definierten Informationen unter Verwen dung eines zweiten Verschlusselungs- 
schlussels, der nur dem Server bekannt ist, urn verschlusselte Informationen zu definieren; 

20 

Speichern der verschliisselten Informationen in einer dem Netzwerk zugeordneten elektronischen Speiche- 
rung, die durch das Netzwerk den mehreren Benutzern zuganglich ist; 

Verschlusseln des zweiten Verschlusselungsschlussels unter Verwendung des ersten Verschlusselungs- 
25 schlussels des vorbestimmten Benutzers, dem Zugang zu den elektronisch definierten Informationen gegeben 

werden soli, urn so einen verschliisselten zweiten Schliissel zu definieren; 

Speichern des verschliisselten zweiten Schlussels in einer dem vorbestimmten Benutzer zuganglichen elek- 
tronischen Speicherstelle; und 

30 

Erlangen des Zugangs durch den vorbestimmten Benutzer zu den unverschlusselten elektronisch definierten 
Informationen durch: 

Abrufendes gespeicherten verschliisselten zweiten Schlussels von einer mit dem Netzwerk verbundenen 
35 Vorrichtung des vorbestimmten Benutzers aus; 

Entschliisseln des abgerufenen verschliisselten zweiten Schlussels unter Verwendung des ersten Schliis- 
sels des vorbestimmten Benutzers in der Vorrichtung des vorbestimmten Benutzers, urn den zweiten Ver- 
schlusselungsschlussel wiederherzustellen; 

40 

Abrufen der gespeicherten verschliisselten Informationen von der mit dem Netzwerk verbundenen Vor- 
richtung des vorbestimmten Benutzers aus; und 

Entschliisseln der abgerufenen verschliisselten Informationen unter Verwendung des wiederhergestellten 
45 zweiten Verschlusselungsschlussels, urn die elektronisch definierten Informationen zur Begutachtung der 

wiederhergestellten Informationen durch den vorbestimmten Benutzer wiederherzustellen; 

dadurch gekennzeichnet, da (3: 

50 jeder erste Verschlusselungsschlussel einen ersten Teil (Ki u ) und einen zweiten Teil (Ki s ) aufweist; 

wobei der erste Teil sowohl dem Server als auch dem jeweiligen Benutzer bekannt ist; und 
der zweite Teil nur dem Server bekannt ist. 

55 

2. Verfahren nach Anspruch 1 , weiterhin mit dem Schritt des Erzeugens des zweiten Verschlusselungsschlussels im 
Server. 
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3. Verfahren nach Anspruch 1 , weiterhin mit den folgenden Schritten: 



periodisches Erzeugen eines neuen zweiten Verschlusselungsschlussels, der einen zu diesem Zeitpunkt ak- 
tuellen zweiten Verschlusselungsschlussel ersetzen soil; und 

5 

jedesmal, wenn ein neuer zweiter Verschlusselungsschlussel erzeugt wird: 

Verschliisseln des neuen zweiten Verschlusselungsschlussels unter Verwendung des ersten Verschlus- 
selungsschlussels des vorbestimmten Benutzers, um so einen neuen verschlusselten zweiten Schlussel 
10 zu definieren; und 

Speichern des neuen verschlusselten zweiten Schlussels in der dem vorbestimmten Benutzer zugangli- 
chen elektronischen Speicherstelle, um den zuvor in der elektronischen Speicherstelle gespeicherten 
verschlusselten zweiten Schlussel zum Zugang durch den vorbestimmten Benutzer zu ersetzen. 

15 

4. Verfahren nach Anspruch 3 und weiterhin, jedesmal, wenn ein neuer zweiter Verschlusselungsschlussel erzeugt 
wird, weiterhin mit den folgenden Schritten: 

Verschliisseln der elektronisch definierten Informationen unter Verwendung des neuen zweiten Verschlusse- 
20 lungsschliissels, um neu verschiiisselte Informationen zu definieren; und 

Speichern der neu verschlusselten Informationen in der dem Netzwerk zugeordneten elektronischen Spei- 
cherung, die durch das Netzwerk den mehreren Benutzern zuganglich ist, um die zuvor gespeicherten ver- 
schlusselten Informationen zu ersetzen. 

25 

5. Verfahren nach Anspruch 1 , wobei der Schritt des Speicherns des verschlusselten zweiten Schlussels das Spei- 
chern des verschlusselten zweiten Schlussels in einer nur dem vorbestimmten Benutzer zuganglichen elektroni- 
schen Speicherstelle umfaBt. 

30 6. Verfahren nach Anspruch 1 , wobei der Schritt des Speicherns der verschlusselten Informationen das Speichern 
der verschlusselten Informationen in einer dem Server zugeordneten elektronischen Speicherung umfaftt. 

7. Verfahren nach Anspruch 1 , wobei die Schritte des Abrufens des gespeicherten verschlusselten zweiten Schlus- 
sels, des Entschlusselns des abgerufenen verschlusselten zweiten Schlussels, um den zweiten Verschlusselungs- 

35 schlussel wiederherzustellen, und des Entschlusselns der abgerufenen verschlusselten Informationen unter Ver- 

wendung des wiederhergestellten zweiten Verschlusselungsschlussels durch Betreiben einer ausfuhrbaren Pro- 
grammroutine ausgefiihrt werden, um so den direkten Zugang durch den vorbestimmten Benutzer auf den wie- 
derhergestellten zweiten Verschlusselungsschlussel einzuschranken und dadurch einen unbeabsichtigten Zugang 
zu dem wiederhergestellten zweiten Verschlusselungsschlussel durch von dem vorbestimmten Benutzer verschie- 

40 dene einzelne der mehreren Benutzer zu verhindern. 



8. Verfahren nach Anspruch 1 , wobei die Schritte des Abrufens des gespeicherten verschlusselten zweiten Schlus- 
sels, des Entschlusselns des abgerufenen verschlusselten zweiten Schlussels, um den zweiten Verschlusselungs- 
schlussel wiederherzustellen, und des Entschlusselns der abgerufenen verschlusselten Informationen unter Ver- 

45 wendung des wiederhergestellten zweiten Verschlusselungsschlussels durch Betreiben einer ausfuhrbaren Pro- 

grammroutine in der Vorrichtung des vorbestimmten Benutzers ausgefuhrt werden, um so den direkten Zugang 
durch den vorbestimmten Benutzer auf den wiederhergestellten zweiten Verschlusselungsschlussel einzuschran- 
ken und dadurch einen unbeabsichtigten Zugang zu dem wiederhergestellten zweiten Verschlusselungsschlussel 
durch von dem vorbestimmten Benutzer verschiedene einzelne der mehreren Benutzer zu verhindern, 

50 

9. Verfahren nach Anspruch 1 , wobei der Schritt des Speicherns des verschlusselten zweiten Schlussels das Spei- 
chern des verschlusselten zweiten Schlussels in einer der Vorrichtung des vorbestimmten Benutzers zugeordneten 
elektronischen Speicherstelle umfaf3t. 



55 10. Verfahren nach Anspruch 1 , wobei der Schritt des Verschlusselns der elektronisch definierten Informationen das 
Aufteilen der Informationen in mehrere Informationsteile und das getrennte Verschliisseln jedes der mehreren 
I nformationsteile umfaBt, um verschiiisselte Informationen zu definieren, die mehrere getrennt verschiiisselte Teile 
umfassen, die jeweils einzeln vorbestimmten der mehreren Benutzer zuganglich sind. 
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Revendlcations 

1. Procede de commande d'accfcs a des informations definies electroniquement parmi une plurality d'utilisateurs 
connectes a un reseau ayant un serveur exploitable pour assurer que les informations definies electroniquement 

5 sont accessibles uniquement par au moins un utilisateur predetermine des plusieurs utilisateurs, chacun desdits 

plusieurs utilisateurs ayant une premiere cle de cryptage unique, ledit procede comprenant les etapes de : 

cryptage des informations definies electroniquement en utilisant une deuxieme cie de cryptage connue uni- 
quement du serveur afin de definir des informations cryptees ; 
w memorisation des informations cryptees dans une memoire electron ique associ6e au reseau accessible par 

le biais du reseau par ladite piuralite d'utilisateurs ; 

cryptage de la deuxieme cle de cryptage en utilisant la premiere cie de cryptage de I'utilisateur predetermine 
auquel I'acces aux informations definies Electroniquement doit etre fourni de maniere a definir une deuxieme 
cle cryptee ; 

is memorisation de la deuxieme cle cryptee dans un emplacement memoire electronique accessible par ledit 

utilisateur predetermine ; et 

obtention de I'acces par I'utilisateur predetermine aux informations definies electroniquement non cryptees en : 

acc6dant a la deuxieme cie cryptee memorisee a partir d'un dispositif connecte au reseau de I'utilisateur 
20 predetermine ; 

decryptant la deuxieme cle cryptee ayant fait I'objet d'un acces en utilisant la premiere cie de I'utilisateur 
predetermine au niveau du dispositif de I'utilisateur predetermine afin de recuperer la deuxieme cle de 
cryptage ; 

accedant aux informations cryptees memoris6es a partir du dispositif connecte au reseau de I'utilisateur 
25 predetermine ; et 

decryptant les informations cryptees ayant fait I'objet d'un acces en utilisant la deuxieme cie cryptee re- 
cuperee afin de recuperer les informations definies electroniquement en vue de I'examen des informations 
r6cuper6es par i'utilisateur predetermine ; 

30 CARACTERISE EN CE QUE : 

chaque dite premiere cie de cryptage a une premiere partie (Ki u ) et une deuxieme partie (Ki s ) ; 
ladite premiere partie est connue a la fois du serveur et de I'utilisateur respectif ; et 
ladite deuxieme partie est connue uniquement du serveur. 

35 

2. Procede selon la revendication 1 , comprenant en outre I'etape de generation de la deuxieme cie de cryptage au 
niveau du serveur. 

3. Precede selon la revendication 1 , comprenant en outre les etapes de : 

40 

generation periodique d'une nouvelle deuxieme cie de cryptage afin de remplacer une deuxieme cie de cryp- 
tage alors actuelle ; et 

chaque fois qu'une nouvelle deuxieme cle de cryptage est generee, 

cryptage de la nouvelle deuxieme cie de cryptage en utilisant la premiere cie de cryptage de I'utilisateur pr6- 
45 determine afin de definir une nouvelle deuxieme cie cryptee ; et 

memorisation de la nouvelle deuxieme cie cryptee dans Pemplacement de memorisation electronique acces- 
sible par I'utilisateur predetermine afin de remplacer ta deuxieme cie cryptee precedemment memorisee dans 
remplacement de memoire electronique en vue de son acces par I'utilisateur predetermine. 

50 4. Procede selon la revendication 3, et comprenant en outre, chaque fois qu'une nouvelle deuxieme cle de cryptage 
est generee, les etapes de : 

cryptage des informations definies electroniquement en utilisant la nouvelle deuxieme cie de cryptage afin de 
definir des informations nouvellement cryptees ; et 
55 memorisation des informations nouvellement cryptees dans la memoire electronique associee au reseau ac- 

cessible par le biais du reseau par ladite piuralite d'utilisateurs afin de remplacer les informations cryptees 
precedemment m6morisees. 
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5. Proc6d6 selon la revendication 1 , dans lequel ladite etape de memorisation de la deuxieme cie cryptee comprend 
la memorisation de la deuxieme cle cryptee dans un emplacement memoire electronique accessible uniquement 
par I'utilisateur predetermine. 

6. Proc6d6 selon la revendication 1 , dans lequel ladite etape de memorisation des informations cryptees comprend 
la memorisation des informations cryptees dans une memoire electronique associee au serveur. 

7. Proc6d6 selon la revendication 1 , dans lequel lesdites Stapes d'acces a ta deuxieme cl6 cryptee m6moris6e, de 
decryptage de la deuxieme cle cryptee ayant fait I'objet d'un acces afin de r6cup6rer la deuxieme cie de cryptage, 
et de decryptage des informations cryptees ayant fait I'objet d'un acces en utilisant la deuxieme cie de cryptage 
recuperee sont effectu6es par I'operation d'un sous-programme executable de maniere a limiter I'acces direct par 
I'utilisateur predetermine a la deuxieme cle de cryptage recuperee et ainsi empecher un acces non prevu a la 
deuxieme cle de cryptage recuperee par des utilisateurs desdits plusieurs utilisateurs autres que I'utilisateur pre- 
determine. 

8. Procede selon la revendication 1 , dans lequel lesdites etapes d'acces a la deuxieme cle cryptee memorisee, de 
decryptage de ta deuxieme c!6 cryptee ayant fait I'objet d'un acces afin de r6cup6rer la deuxieme cl6 de cryptage, 
et de decryptage des informations cryptees ayant fait I'objet d'un acces en utilisant la deuxieme cie de cryptage 
recuperee sont effectuees par l'op6ration d'un sous-programme executable au niveau du dispositif de I'utilisateur 
predetermine de maniere a limiter I'acces direct par I'utilisateur predetermine a la deuxieme cle de cryptage recu- 
peree et ainsi empecher un acces non prevu a la deuxieme cle de cryptage recuperee par des utilisateurs desdits 
plusieurs utilisateurs autres que I'utilisateur predetermine. 

9. Proc6d6 selon la revendication 1 , dans lequel ladite etape de memorisation de la deuxieme cle cryptee comprend 
la memorisation de la deuxieme cie cryptee dans un emplacement memoire electronique associe au dispositif de 
I'utilisateur predetermine. 

10. Precede selon la revendication 1 1 dans lequel ladite etape de cryptage des informations d6finies electron iquement 
comprend la division des informations en une multiplicite de parties d'informations et le cryptage separe de chacune 
de la multiplicite de parties d'informations afin de definir des informations cryptees comprenant une multiplicite de 
parties cryptees separement, chacune accessible individuellement par des utilisateurs predetermines desdits plu- 
sieurs utilisateurs. 



EP 0 695 997 B1 



FIG. 1 




FIG. 



USER i 



SERVER 30 



RSAli. CREDIT CARD #, Ki) 



i. DATA-DESCRIPTORS 
(OPTIONALLY ENCRYPTED) 




CONFIRMATION (OPTIONAL) 



EKi (Knew) , EKnews(DATA) 



13 



EP 0 695 997 B1 



FIG. 3 

/V 



USER i 



SERVER 30 



RSAli, CREDIT CARD t, Ki) 



USER i 



ROUTINE 



i, DATA-DESCRIPTORS 
(OPTIONALLY ENCRYPTED) 



DATA 




ROUTINE (Ki) 



SERVER 30 



EKi (Knews), EKnews(OATA) 



USER i 



FIG. 4 

s\ 



SERVER 30 



RSA(i, CREDIT CARD #. Ki) 



USER i 



ROUTINE 



i, Ki" 



DATA-DESCRIPTOR 



-Ki=KiU©KiS 



i, OATA-OESCRIPTORS 
(OPTIONALLY ENCRYPTED) 



DATA 




Ki=Ki"$KiS 
ROUTINE (Ki s ) 



SERVER 30 



EKi (Knews) . EKnew (DATA) 



14 



EP 0 695 997 B1 



FIG. 5 

/s 



USER i 



SERVER 30 



RSAU, Ki". CREDIT *. IP) 



Ki=KiU0KiS 
ROUTINE (KiS) 




15 



EP 0 695 997 B1 



FIRST: 



HOV AX. I (FIRST) 

MOV OS. AX 
MOV SUM. 0 
CMP SUM. 100 
JNA NOT-OONE 
MOV AL. SUM 



NOT-OONE: 



MOV OS. AX 

MOVES. AX 

CMP SUH 73 

MOV SI. AX 



FIG. 6 



//INDIRECTLY JUMP THROUGH INDEXING WITH THE CONTENT 
//OF LOCATION FIRST 



//THE VALUE OF THIS LOCATION DETERMINES THE KEY OFFSET 



//OFFSET WITH FIRST POINTS HERE. THE KEY STARTS 
//HERE AND MAY 60 ON SPANNIN6 SEVERAL 
//"DUMMY" INSTRUCTIONS 



FIG. 7 

A 



MOV AX. I (SECOND) 

MOV DS. AX 
MOV SUM. 0 
MOV AL SUM 
CMP SUM. 100 
JNA NOT-OONE 



NOT-OONE 



SECOND: CMP SUM, 45 



MOV OS. AX 

MOVES. AX 

CMP SUM. 73 

MOV SI. AX 



//INDIRECTLY JUMP THROUGH INDEXING KITH THE CONTENT 
//OF LOCATION SECOND 



//THE VALUE OF THIS LOCATION DETERMINES THE KEY OFFSET 



//OFFSET WITH SECOND POINTS HERE. THE KEY STARTS 
//HERE AND MAY GO ON SPANNING SEVERAL 
//'DUMMY' INSTRUCTIONS 
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